Gsm fundamentals

Transcript of Gsm fundamentals

Page 1: Gsm fundamentals

1.0 Introduction

Third generation or 3G is now the generally accepted term used to describe the next wave of

mobile networks and services. First generation (1G) is used to categorize the first analogue

mobile systems that emerged in the 1980s, such as the advanced mobile phone system

(AMPS) and nordic mobile telephony (NMT). These systems provided a limited mobile

solution for voice, but had major limitations, particularly in terms of interworking, security

and quality. The next wave, second generation (2G), arrived in the late 1980s and moved

towards a digital solution which gave the added benefit of allowing the transfer of data and

provision of other non-voice services. Of these, the global system for mobile communication

(GSM) has been the most successful, with its global roaming model. Third generation (3G)

leverages on the developments in cellular to date, and combines them with complementary

developments in both the fixed-line telecoms networks and from the world of the Internet.

The result is the development of a more general purpose network, which offers the

flexibility to provide and support access to any service, regardless of location [1].

1.1 First Generation

A first-generation cellular radio network includes the mobile terminals, the base stations and

the mobile switching centers. First-generation wireless systems provide analog speech and

inefficient, low-rate data transmission between the base station and the mobile user. The

speech signals are usually digitized for transmission between the base station and the MSC.

The Advanced Mobile Phone System is an example of the first-generation wireless network which

was first built by engineers from AT&T Bell Laboratories. In the first-generation cellular

networks, the MSC maintains all mobile related information and controls each mobile

handoff. The MSC also performs all of the network management functions, e.g., call

handling and processing, billing, etc. The MSC is interconnected with the PSTN via wired

trunks and a tandem switch. MSCs are also connected with other MSCs via dedicated

signaling channels (mostly via SS7 network) for the exchange of location, authentication,

and call signaling information. The US cellular carriers use the IS-41 protocol [IS41] to

allow MSCs of different service providers to pass information about their subscribers to

other MSCs on demand. IS-41 relies on the autonomous registration feature of AMPS [2]. A

mobile uses autonomous registration to notify a serving MSC of its presence and location.

The mobile accomplishes this by periodically transmitting its identity information, e.g., MIN

and ESN, which allows the MSC to constantly update an entry in its database about the

whereabouts of the mobile. The MSC is able to distinguish home users from roaming users

based on the MIN of each active user. The Home Location Register (HLR) keeps the

location information of each home subscriber while the Visiting Location Register (VLR)

only keeps information of a roaming user. The visited system creates a VLR record for each

new roamer and notifies the home system via the IS-41 so it can update its own HLR [1].

Through first generation, a voice call gets modulated to a higher frequency of about

150 MHz and up as it is transmitted between radio towers. This is done using a technique

called Frequency-Division Multiple Access (FDMA). In terms of overall connection quality,

first generation compares unfavourably to its successors. It has low capacity, unreliable

handoff, poor voice links, and no security at all since voice calls were played back in radio

towers, making these calls susceptible to unwanted eavesdropping by third parties. However,

first generation did maintain a few advantages over second generation. In comparison to first

generation’s analog signals, second generation digital signals are very reliant on location and

proximity. If a 2G handset made a call far away from a cell tower, the digital signal may not

be strong enough to reach it. While a call made from a first generation handset had generally

poorer quality than that of a second generation handset, it survived longer distances. This is due

to the analog signal having a smooth curve compared to the digital signal, which had a

jagged, angular curve. As conditions worsen, the quality of a call made from a first

generation handset would gradually worsen, but a call made from a second generation

handset would fail completely [3].

Fig.1.0 Architecture of first generation [2]

1.2 Second Generation

The roots of the development of the global system for mobile communications (GSM) began

with a group formed by the European Conference of Postal Telecommunications

Administrations (CEPT) to investigate the development of a standard mobile telephone

system to be used throughout Europe. This group was known as the Groupe Special Mobile

or GSM for short, and this is initially where the acronym GSM came from; however, it is

now widely understood to stand for global system for mobile communications. A unified

telephone system was desirable since Europe is made up of many separate countries each

with their own government, language, culture and telecommunication infrastructure, much

of which was still in the hands of state-run monopolies. As there is much trade between

these countries, a mobile network which would free users to roam internationally from

country to country was seen as a valuable asset. The other major region to discuss in parallel

is movements in mobile communications in the USA. Mobile technology was advancing

there also, but the motivation to provide roaming capabilities was not such a fundamental

requirement, since it is one country. There was and is considerable regionalization of

communications in the USA and this was reflected in the proliferation of mobile devices,

where operators only needed to cater for the domestic market. GSM was eventually adopted

as a European standard by the European Telecommunications Standards Institute (ETSI). It

has been standardized to operate on three principal frequency regions, being 900 MHz, 1800

MHz and 1900 MHz. GSM is by far the most successful of the second generation cellular

systems, and has seen widespread adoption not only across Europe but also throughout the

Asia-Pacific region, and more recently, the Americas. Some of the large mobile network

operators in the USA are also introducing GSM, either as a migration step towards the

UMTS flavour of 3G or simply in addition to the current offerings [3].

1.2.1 General Architecture

Figure 1.1 shows the general architecture for a GSM network. The various

functional blocks are explained as follows.

Mobile station (MS)

The MS consists of the mobile equipment (ME; the actual device) and a smart card called

the subscriber identity module (SIM). The SIM offers personal mobility since the user can

remove the SIM card from one mobile device and place it in another device without

informing the network operator. In contrast, most other 2G systems require a registration

update to the operator. The SIM contains a globally unique identifier, the international

mobile subscriber identity (IMSI), as well as a secret key used for authentication and other

security procedures. The IMSI (or a variation of it for security purposes) is used throughout

the network as the identifier for the subscriber. This system enables a subscriber to change

the mobile equipment and still be able to make calls, receive calls and receive other

subscriber information by simply transferring the SIM card to the new device. Any calls

made will appear on a single user bill irrespective of changes in the mobile device [2]. The

mobile equipment is also uniquely identifiable by the international mobile equipment

identity (IMEI). The IMEI and IMSI are independent, thus providing the user flexibility by

separating the concept of subscriber from access device. Many operators still issue ‘locked’

mobile devices where the equipment is tied for use only on a particular operator’s network.

A mobile device not equipped with a SIM must also still be able to

make emergency calls. To protect the call from undesirable snooping or listening in, the

IMSI will not always be transmitted over the cell to identify the subscriber. Instead a

temporary IMSI (T-IMSI) identifier is used and changed at regular intervals. Note that for

extra security the whole data stream is encrypted over the air interface.

Fig 1.1 Architecture of second generation

Base station subsystem (BSS)

The base station subsystem (BSS) is composed of three parts, the base transceiver station

(BTS), the base station controller (BSC), which controls the BTSs, and the transcoding and

rate adaption unit (TRAU) [1].

Base transceiver station (BTS)

The BTS houses the radio transceivers (TRXs) that define a cell and handle the radio link

with the mobile station. As was seen, each transceiver can handle up to eight full-rate users

simultaneously. If more than eight full-rate users request resources within the TRX then they

will receive a busy tone, or a network busy message may be displayed on the mobile device.

It is possible to increase the number of simultaneous users in a cell by increasing the number

of TRXs, hence the number of frequencies used. When a mobile device moves from one cell

to another the BTS may change. Within the GSM system a mobile device is connected to

only one BTS at a given time. The first TRX in a cell can actually only handle a maximum

of seven (possibly less) simultaneous users since one channel on the downlink is used for

broadcasting general system information through what is known as the broadcast and control

channel (BCCH). The BTS is also responsible for encrypting the radio link to the mobile

device based on security information it receives from the core network [3].

Base station controller (BSC)

The BSC manages the radio resources for one or more BTSs. It handles the radio channel

setup, frequency hopping and handover procedures when a user moves from one cell to

another. When a handover occurs, the BSC may change; it is a design consideration that this

will not change with the same regularity as a BTS change. A BSC communicates with the

BTS through time division multiplex (TDM) channels over what is referred to as the Abis

interface, generally implemented using E1 or T1 lines. If the numerous BTSs and the

corresponding BSC are in close proximity then this link may be a fibre optic or copper cable

connection. In some cases, there are a large number of BTSs in close proximity but quite

some distance away from the controlling BSC. In such cases it may be more efficient to

relay the calls from each of the BTSs to a single BTS via microwave links. This type of link

may be very cost effective since generally the running costs of a point-to-point microwave

link may be free. Of course this has to be weighed against the cost of the purchasing and

deployment of the equipment. The collector BTS can then connect to the BSC via another

microwave link or via a landline cable. A problem with the above system is that if the

collector BTS fails then calls from the other BTSs may also fail. To overcome this problem

it is possible to have two collector BTSs both sending the calls to the BSC. This forms a

redundant link and if one collector BTS fails then this does not present such a large problem,

as is illustrated in Figure 1.3.

Fig 1.3 Base Station Connectivity

Transcoding and rate adaption unit (TRAU)

The central role of the second generation systems is to transfer speech calls and the system

has been designed and optimized for voice traffic. The human voice is converted to binary in

a rather complex process. GSM is now quite an old system and as such the original encoding

method used (LPC-RPE) is not as efficient as some of the more recently developed coding

systems such as those used in other cellular systems. There have been many developments

in digital signal processing (DSP) which have enabled good voice quality to be transmitted

at lower data rates. Although the TRAU is actually

seen as being logically part of the BSS, it usually resides close to the MSC since this has

significant impact on reducing the transmission costs [2]. The voice data is sent in a 16 kbps

channel through to the TRAU from the mobile device via the BTS and BSC. The

transcoding and rate adaptation unit will convert this speech to the standard 64 kbps for

transfer over the PSTN or ISDN network. Over the air interface, speech uses 13 kbps

(full-rate) and data 9.6 or 14.4 kbps, with each of these requiring a 16 kbps link through the

BSS. As has been mentioned, digital voice data is robust in the face of errors, and can

handle substantial bit error rates before the user begins to notice signal degradation. This is

in stark contrast to data such as IP packets, which is extremely error intolerant and a

checksum is generally used to drop a packet which contains an error. The adaptive multirate

(AMR) speech CODECS which are implemented in UMTS and also the enhanced full-rate

(EFR) bit rates for the second generation GSM, TDMA and PDC systems for comparison.

The GSM EFR uses the algebraic code excited linear prediction (ACELP) algorithm and

gives better quality speech than full-rate (FR) using 12.2 kbps. A half-rate (HR) method of

speech coding has also been introduced in to the standards, which is known as code excited

linear prediction-vector sum excited linear prediction (CELP-VSELP). This method will

enable two subscribers to share a single time slot [4].

Network switching subsystem (NSS)

The NSS comprises the circuit switched core network part of the GSM system. The main

element is the mobile switching centre (MSC) switch and a number of databases referred to as

the visitor location register (VLR) and home location register (HLR). The HLR is always in

the home network for roaming subscribers and thus any data exchange may have to cross

international boundaries. The MSC and VLR are usually combined and are located in the

visited network.

Mobile switching centre (MSC)

This acts like a normal switching node for a PSTN or ISDN network. It also takes care of all

the additional functionality required to support a mobile subscriber. It therefore has the dual

role of both switching and management. When a mobile device is switched on and requests

a connection to a mobile network, it is principally the MSC that processes this request, with

the BSS merely providing the access to facilitate this request. If the request is successful

then the MSC registers the mobile device within its associated VLR (see below; most

manufacturers tend to combine the VLR functionality with the MSC). The VLR will update

the HLR with the location of this mobile device, and the HLR may be either in the same

network, or a different network in the case of a roaming user.

The MSC deals with registration, authentication (the MSC requests information from the

authentication centre but it is the MSC which actually does the authentication), mobile

device location updating and routing of calls to and from a mobile user. An MSC which

provides the connectivity from the mobile network to the fixed network, e.g. ISDN or

PSTN, is known as a gateway-MSC (G-MSC) [2].

Home Location Register (HLR)

When a subscriber registers with an operator, they enter into what is known as a service

level agreement (SLA). This operator’s mobile network is known as the home network or

home public land mobile network (H-PLMN). The HLR is a huge database located within

this home network which stores administrative information about the mobile subscriber. The

information stored for a user in the HLR will include their IMSI, service subscription

information, service restrictions and supplementary services. The HLR is also expected to

know the location of its mobile users. It actually knows their location only to the VLR with

which the mobile device is registered. The HLR also only knows the location of a mobile

device which is switched on and has registered with some mobile operator’s network. This

is the case even if the mobile is in a different country connected to another mobile operator’s

network, as long as a roaming agreement exists between the two mobile operators. The

GSM system provides all the technical capabilities to support roaming; however, this

roaming agreement is also required so that both operators can settle billing issues arising

from calls made by visiting mobile subscribers.

Visitor Location Register (VLR)

The VLR is another database of users and is commonly integrated with an MSC. Unlike the

HLR, where most information is of a permanent nature, the VLR only holds temporary

information on subscribers currently registered within its vicinity. This vicinity covers the

subscribers in the serving area of its associated MSC. When a mobile device enters a new

area, the mobile device may wish to connect to this network and if so informs the MSC of

its arrival. Once the MSC checks are complete, the MSC will update the VLR. A message is

sent to the HLR informing it of the VLR which contains the location of the mobile. If the

mobile device is making or has recently made a call, then the VLR will know the location of

the mobile device down to a single cell. If the mobile device has requested and been granted

attachment to a mobile network, but not made any calls recently, then the location of the

mobile device will be known by the VLR to a location area, i.e. a group of cells and not a

single cell [1].

Equipment Identity Register (EIR)

The EIR is a list of all valid mobiles on the network. If a terminal has been reported stolen

or the equipment is not type approved then it may not be allowed to operate in the network.

The terminals are identified by their unique IMEI identifier [5].

Authentication Centre (AuC)

The AuC is a database containing a copy of the secret key present in each of the users’ SIM

cards. This is used to enable authentication and encryption over the radio link. The AuC

uses a challenge–response mechanism, where it will send a random number to the mobile

station; the mobile station encrypts this and returns it. The AuC will now decrypt the

received number and if it is successfully decrypted to the number originally sent, then the

mobile station is authenticated and admitted to the network. To make and receive calls, the

location of the mobile device has to be known by the network. It would be extremely

inefficient if a user needed to be paged across an entire network, and almost impossible to

support roaming to other networks. Each cell broadcasts its globally unique identity on its

broadcast channel, which is used by the mobile device for location purposes. Mobility

management is the mechanism that the network uses for keeping a dynamic record of the

location of all of the mobile devices currently active in the network. In this context, location

does not refer specifically to the geographical location of the mobile device, but rather its

location with respect to a cell in which it is currently located. However, for the development

of cellular towards third generation, geographical location becomes important as an enabler

for location-based services (LBS). The major benefit of the cellular telephone over a fixed

landline is the mobility that it presents to the subscriber. Initially, this mobility was merely

allowing the user to move around and be tracked within a certain area; however, now

mobility extends to cover the concept of roaming. Unfortunately, the provision of mobility

makes the network much more complex to design and operate. As a subscriber moves from

one location to another, the strength of the signal it receives from the base station to which it

is currently listening will fluctuate, and, conversely, the signal received by the base station

from the mobile device will also vary. Both the network and the mobile device must

constantly monitor the strength of the signal, with the mobile device periodically reporting

the information it has measured to the network. The mobile device also monitors the

strength of other cells in the vicinity. When the signal strength gets too weak from a

particular base station, a handover (also known as a handoff) to a base station in another cell

may take place. The network must try to guarantee that in the event of a handover, the user

call is not dropped and there is a smooth transition from cell to cell, even if the user is

moving quite rapidly, as is the case for a motorist. The HLR, which is in the home network,

knows which VLR has information regarding the particular subscriber. The information the

VLR holds depends on the connection state of the mobile device: in idle mode only the

location area (LA) is known whereas in dedicated mode the actual cell is known. Most of

the GSM mobile network is designed and implemented in a hierarchical manner. The change

of a cell from one base station to another is relatively simple if the BTSs are controlled by

the same BSC. The change of a BSC is more complex and hence will require more

signalling but will occur less frequently since each BSC controls a number of BTSs. A

change of the MSC is also possible but, again, this should be rather infrequent for most

users. If a user is in a vehicle and moving at high speed, then a number of MSC handovers

may take place during a prolonged voice call. However, this will probably occur rarely as

the vehicle will likely have crashed or the driver been arrested before handover occurs! This

system of handover enables a subscriber to continue with a call in progress while moving

from one geographical area to another.

• When User 1 changes from one cell to another, a cell update is required. As noted, this

does not require much in the way of signalling.

• When User 2 changes cell, a cell update and a BSC update are required. This will require

more signalling, with the MSC controlling the change in BSC.

• When User 3 changes cell, a cell update, a BSC update and an MSC update are required.

This is a much more complex task, which will require a greater amount of signalling. Note

that these updates only take place when a mobile device has a call in progress, or in what is

referred to as dedicated mode. Mobile devices which do not have a call in progress but may

have registered with the network are said to be in idle mode. Mobile devices in idle mode

will only send periodic updates indicating that the mobile is still active, thus reducing the

signalling load on the network. When a user wishes to make a call, the mobile device will

transparently update the network as to its position and move to dedicated mode. In idle

mode the location of the mobile device is still known but over a number of cells rather than

a single cell. In idle mode the mobile device monitors a certain area spanning a number of

cells, known as a Location Area (LA), and sends location update information to the network

when the mobile device physically crosses a boundary between LAs, or when a certain period of

time has elapsed. Even when the mobile device is stationary, after a long period of inactivity

it will send an update to allow the network to refresh its stored information regarding the

subscriber’s location. Devices which do not send this update will be assumed to have left the

coverage area and their data may be removed from the network. This interval is network

configurable and could be, for example, one hour.
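
The challenge–response exchange described under Authentication Centre (AuC) above, as an added Python sketch that is not part of the original document. HMAC-SHA256 stands in for the operator-specific A3/A8 functions (an assumption), the network side recomputes the expected response and compares it rather than decrypting, and the key, IMSI and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

RAND_LEN = 16  # the GSM challenge (RAND) is 128 bits
SRES_LEN = 4   # the signed response (SRES) is 32 bits
KC_LEN = 8     # the radio-link cipher key (Kc) is 64 bits


def _keyed(ki, rand, label):
    # Assumption: HMAC-SHA256 stands in for the operator-specific A3/A8 functions.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()


def a3_sres(ki, rand):
    """Authentication response computed from the secret key and the challenge."""
    return _keyed(ki, rand, b"A3")[:SRES_LEN]


def a8_kc(ki, rand):
    """Session key for encrypting the radio link, derived from the same inputs."""
    return _keyed(ki, rand, b"A8")[:KC_LEN]


class Sim:
    """Holds the subscriber's secret key; only derived values leave the card."""

    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand):
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


class AuC:
    """Database of per-subscriber keys; hands out (RAND, SRES, Kc) triplets."""

    def __init__(self):
        self._keys = {}

    def provision(self, imsi, ki):
        self._keys[imsi] = ki

    def triplet(self, imsi):
        ki = self._keys[imsi]
        rand = secrets.token_bytes(RAND_LEN)  # fresh, unpredictable challenge
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


class Msc:
    """Issues the challenge and checks the answer using data from the AuC."""

    def __init__(self, auc):
        self._auc = auc
        self._pending = {}

    def challenge(self, imsi):
        rand, sres, kc = self._auc.triplet(imsi)
        self._pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi, sres):
        expected = self._pending.pop(imsi, None)  # one attempt per challenge
        if expected is None:
            return None
        want, kc = expected
        # Constant-time comparison; Kc is released only on a match.
        return kc if hmac.compare_digest(want, sres) else None


def run_auth_demo():
    ki = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    imsi = "001010123456789"                                # constructed IMSI
    auc = AuC()
    auc.provision(imsi, ki)
    msc = Msc(auc)
    genuine = Sim(imsi, ki)
    impostor = Sim(imsi, bytes(16))  # same IMSI, wrong secret key

    rand = msc.challenge(imsi)
    sres, kc_ms = genuine.respond(rand)
    kc_net = msc.verify(imsi, sres)
    results = {"genuine": kc_net is not None and kc_net == kc_ms}
    results["unsolicited"] = msc.verify(imsi, sres)  # no challenge outstanding
    msc.challenge(imsi)
    results["replay"] = msc.verify(imsi, sres)       # old answer, new RAND
    rand3 = msc.challenge(imsi)
    results["wrong_key"] = msc.verify(imsi, impostor.respond(rand3)[0])
    return results
```

Because every challenge is a fresh random value and is consumed on first use, a previously observed response is of no use against a later challenge.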

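The location bookkeeping and handover cases described in this section, as an added Python model that is not part of the original document. The four-cell topology, the IMSI and all class and function names are constructed for illustration; the one-hour timer is the example value given in the text.

```python
from dataclasses import dataclass

# Constructed topology: each cell's location area and controlling BSC and MSC.
TOPOLOGY = {
    "A": {"la": "LA1", "bsc": "BSC1", "msc": "MSC1"},
    "B": {"la": "LA1", "bsc": "BSC1", "msc": "MSC1"},
    "C": {"la": "LA1", "bsc": "BSC2", "msc": "MSC1"},
    "D": {"la": "LA2", "bsc": "BSC3", "msc": "MSC2"},
}
PERIODIC_UPDATE_S = 3600  # network-configurable; one hour is the text's example


def handover_updates(old_cell, new_cell, topo=TOPOLOGY):
    """Updates needed when a call in progress moves between two cells."""
    old, new = topo[old_cell], topo[new_cell]
    updates = ["cell"]
    if old["bsc"] != new["bsc"]:
        updates.append("BSC")
    if old["msc"] != new["msc"]:
        updates.append("MSC")
    return updates


@dataclass
class Mobile:
    imsi: str
    cell: str
    mode: str = "idle"  # "idle" or "dedicated"
    last_update: int = 0


class Vlr:
    """What the network side remembers about each registered mobile."""

    def __init__(self, topo=TOPOLOGY, timer=PERIODIC_UPDATE_S):
        self.topo, self.timer, self.view = topo, timer, {}

    def _store(self, ms, now, cell_known):
        self.view[ms.imsi] = {"la": self.topo[ms.cell]["la"],
                              "cell": ms.cell if cell_known else None,
                              "seen": now}
        ms.last_update = now

    def attach(self, ms, now):
        ms.mode = "idle"
        self._store(ms, now, cell_known=False)

    def start_call(self, ms, now):
        ms.mode = "dedicated"
        self._store(ms, now, cell_known=True)

    def move(self, ms, new_cell, now):
        """Mobile is now in new_cell; return the signalling this generates."""
        old_cell, ms.cell = ms.cell, new_cell
        if ms.mode == "dedicated":
            self._store(ms, now, cell_known=True)
            return handover_updates(old_cell, new_cell, self.topo)
        crossed = self.topo[old_cell]["la"] != self.topo[new_cell]["la"]
        expired = now - ms.last_update >= self.timer
        if crossed or expired:
            self._store(ms, now, cell_known=False)
            return ["location update"]
        return []  # idle move inside the same LA: the network is not told

    def purge(self, now):
        """Drop mobiles that missed their periodic update; return their IMSIs."""
        stale = [i for i, r in self.view.items() if now - r["seen"] > self.timer]
        for imsi in stale:
            del self.view[imsi]
        return stale

    def precision(self, imsi):
        """How precisely the network can place this mobile right now."""
        rec = self.view.get(imsi)
        if rec is None:
            return None
        return ("cell", rec["cell"]) if rec["cell"] else ("LA", rec["la"])


def run_mobility_demo():
    vlr = Vlr()
    ms = Mobile(imsi="001010123456789", cell="A")  # constructed IMSI
    vlr.attach(ms, now=0)
    log = []
    log.append((vlr.move(ms, "B", 600), vlr.precision(ms.imsi)))   # idle, same LA
    log.append((vlr.move(ms, "D", 1200), vlr.precision(ms.imsi)))  # idle, LA1 to LA2
    vlr.start_call(ms, 1300)
    log.append((vlr.move(ms, "C", 1400), vlr.precision(ms.imsi)))  # call in progress
    return log, vlr.purge(now=1400 + 3601)
```
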
1.2.2 GSM Air Interface

There is a limited spectrum of frequencies that is both available and suitable for GSM.

Cellular operators have to compete for this bandwidth with the likes of the military,

broadcast television and broadcast radio. The available electromagnetic spectrum has been

split into a number of bands by both national and international regulatory bodies.

Fortunately there was much international agreement on the frequencies in the 900 MHz and

1800 MHz bands, which brought in large economies of scale, reducing the price of handsets,

and thus enabling GSM to flourish. GSM was originally designed to work in a 900 MHz

band but is now used in 1800 MHz, 1900 MHz and a number of others, such as 450 MHz.

As shown in Figure 1.4, the 900 MHz range is made up of two separate 25 MHz bands,

between 890–915 MHz and 935–960 MHz. The lower 25 MHz is used for the mobile

station, or uplink, transmission and the upper 25 MHz of the range is used for base station, or downlink, transmission.

Fig 1.4: GSM original band (GSM mobile station transmits in 890–915 MHz; GSM base station transmits in 935–960 MHz; 20 MHz between the two bands)

There is a gap of 20 MHz between the

transmission sub-bands i.e. the GSM base station transmit band starts at 890 + 45 MHz. The

mobile device transmits on the lower frequency since it is a physical property of

electromagnetic waves that there will generally be less attenuation on lower frequencies.

The base station is not reliant on a small battery and can therefore radiate greater power,

thus the greater attenuation in the downlink is not seen as a major problem, allowing the

mobile device to avail itself of better transmission characteristics. As discussed, GSM works

on a combination of frequency division multiplexing (FDM), and time division multiplexing

(TDM) multiple access schemes. It also uses slotted-Aloha, a contention method which is

similar in operation to Ethernet. This contention mechanism is required since it is possible

for two mobile subscribers to make a request for resources at exactly the same time. The

mobile stations use this contention method to compete with each other to request a traffic

channel (TCH), which is required for a call. Like Ethernet, there is a chance that a collision

will occur, so mechanisms are implemented to deal with this. The FDM allocates each GSM

channel 200 kHz of bandwidth and therefore there are 25 MHz/200 kHz = 125 channels

available in each direction. One of these channels is not used for data transfer but is used as

a guard band, leaving 124 channels available for communication. A matching pair of GSM

frequency channels, i.e. one uplink and a corresponding downlink, is controlled by a device

referred to as a transceiver (TRX). All of the operators in a country using GSM900 have to

share these 124 channels and they will be allocated a licence covering a range of them by the

national telecommunications regulator. Say there are four mobile operators in a given

country. Each of them may be allocated 31 channels (124/4). For example, Operator 1 may

be allocated 31 channels starting from 890.0 MHz, 890.2 MHz, and 890.4 MHz etc. up to

896.0 MHz in the uplink and 935.0 MHz, 935.2 MHz, 935.4 MHz etc. up to 941.0 MHz in

the downlink, as shown in Figure 3.8. TDM further splits each of these frequency channels

into eight separate time slots, each of which may be allocated to a user or used for control

purposes. These time slots are individually referred to as slot 0 through to slot 7, and form a

TDM frame. A single time slot in GSM is also referred to as a burst; however, this should

not be confused with the term ‘error burst’. If a cell is allocated a single frequency (one

TRX) then slot 0 on this frequency is reserved as a control channel. If two or more

frequencies are employed within the cell then it may require additional control channels to

increase the overall efficiency. The slot 0 control channel always includes the broadcast and

control channel (BCCH), which is broadcast from the base station in the downlink to

provide information to the mobile devices registered in the cell, such as the cell identifier,

network operator etc. [3,4]

1.3 Deficiencies of First- and Second-Generation Wireless Systems

First-generation cellular systems provide connection-oriented services for each voice user.

Voice channels are dedicated to the users at a serving base station and network resources are

dedicated to the voice traffic on initiation of a call. The MSC sets up a dedicated voice

channel connection between the base station and the PSTN for the duration of a cellular

phone call. Circuit switching is used to transmit voice traffic to and from the user's terminal

to the PSTN. Circuit switching establishes a dedicated radio channel between the base

station and the mobile, and a dedicated phone line between the MSC and the PSTN for the

entire duration of a call. First-generation cellular systems provide data communications

using circuit switching. Wireless data services such as fax and electronic mail are not well

supported by circuit switching because of their short, bursty transmission, which are

followed by periods of inactivity. Often, the time required to establish a circuit exceeds the

duration of the data transmission. Modem signals carrying data need to be passed through

the audio filters that are designed for analog, FM, and common air interfaces. Thus, it is

both clumsy and inefficient, e.g., voice filtering must be deactivated when data are

transmitted [6].

1.4 Third-Generation Wireless Networks

The deficiencies of the first- and second-generation wireless systems prevent them from

allowing roaming users to enjoy high data rate connections and multimedia

communications. The aim of third-generation wireless networks is to introduce a single set

of standards that provide higher airlink bandwidth and support multimedia applications. In

addition, the third-generation wireless systems are expected to be able to communicate with

other information networks, e.g., the Internet and other public and private databases.

Examples of third-generation wireless systems are TIA 1xEV Data Only (commonly

referred to as the High Data Rate system)-based networks [EVDO], TIA 1xEV-DV-based

networks [EVDV], and 3GPP UMTS networks [UMTS]. Such 3G systems promise a peak

airlink bandwidth of 2-3 Mbps [4].

1.4.1 UMTS / WCDMA Network Architecture

The UMTS network architecture is required to provide a greater level of performance than that

of the original GSM network. However, as many networks had migrated through the use of

GPRS and EDGE, they already had the ability to carry data. Accordingly, many of the

elements required for the WCDMA / UMTS network architecture were seen as a migration.

This considerably reduced the cost of implementing the UMTS network as many elements

were in place or needed upgrading. With one of the major aims of UMTS being to be able to

carry data, the UMTS network architecture was designed to enable a considerable

improvement in data performance over that provided for GSM [5].

The UMTS network architecture can be divided into three main elements:

User Equipment (UE):   The User Equipment or UE is the name given to what was previously

termed the mobile, or cellphone. The new name was chosen because of the considerably

greater functionality that the UE could have. It could be anything from a mobile

phone used for talking to a data terminal attached to a computer with no voice capability.


Radio Network Subsystem (RNS):   The RNS is the equivalent of the previous Base Station

Subsystem or BSS in GSM. It provides and manages the air interface for the overall

network.

Core Network:   The core network provides all the central processing and management for

the system. It is the equivalent of the GSM Network Switching Subsystem or NSS. The

core network is then the overall entity that interfaces to external networks including the

public phone network and other cellular telecommunications networks.

Fig. 1.5 UMTS Network Architecture Overview

User Equipment, UE

The User Equipment UE is a major element of the overall UMTS network architecture. It

forms the final interface with the user. In view of the far greater number of applications and

facilities that it can perform, the decision was made to call it user equipment rather than a

mobile. However it is essentially the handset (in the broadest terminology), although having

access to much higher speed data communications, it can be much more versatile,


containing many more applications. It consists of a variety of different elements including

RF circuitry, processing, antenna, battery, etc.

There are a number of elements within the UE that can be described separately:

User Equipment RF circuitry:   The RF areas handle all elements of the signal, both for the

receiver and for the transmitter. One of the major challenges for the RF power amplifier was

to reduce the power consumption. The form of modulation used for W-CDMA requires the

use of a linear amplifier. These inherently take more current than non-linear amplifiers

which can be used for the form of modulation used on GSM. Accordingly, to maintain

battery life, measures were introduced into many of the designs to ensure the optimum

efficiency.

Baseband processing:   The base-band signal processing consists mainly of digital circuitry.

This is considerably more complicated than that used in phones for previous generations.

Again this has been optimised to reduce the current consumption as far as possible.

Battery:   While current consumption has been minimised as far as possible within the

circuitry of the phone, there has been an increase in current drain on the battery. With users

expecting the same lifetime between charging batteries as experienced on the previous

generation phones, this has necessitated the use of new and improved battery technology.

Now Lithium Ion (Li-ion) batteries are used. These allow phones to remain small and relatively

light while still retaining or even improving the overall life between charges.

Universal Subscriber Identity Module, USIM:   The UE also contains a SIM card, although

in the case of UMTS it is termed a USIM (Universal Subscriber Identity Module). This is a

more advanced version of the SIM card used in GSM and other systems, but embodies the

same types of information. It contains the International Mobile Subscriber Identity number

(IMSI) as well as the Mobile Station International ISDN Number (MSISDN). Other

information that the USIM holds includes the preferred language to enable the correct

language information to be displayed, especially when roaming, and a list of preferred and


prohibited Public Land Mobile Networks (PLMN). The USIM also contains a short

message storage area that allows messages to stay with the user even when the phone is

changed. Similarly "phone book" numbers and call information of the numbers of incoming

and outgoing calls are stored.

The UE can take a variety of forms; the most common format is still a version of a

"mobile phone", albeit one with many data capabilities. Broadband dongles are also

being widely used [5].

1.4.2 UMTS Radio Network Subsystem

This is the section of the UMTS / WCDMA network that interfaces to both the UE and the

core network. The overall radio access network, i.e. collectively all the Radio Network

Subsystems, is known as the UTRAN, the UMTS Radio Access Network.

The Radio Network Subsystem comprises two main components:

Radio Network Controller, RNC:   This element of the radio network subsystem controls the

Node Bs that are connected to it. The RNC undertakes the radio resource management and

some of the mobility management functions, although not all. It is also the point at which

the data encryption / decryption is performed to protect the user data from eavesdropping.

Node B:   Node B is the term used within UMTS to denote the base station transceiver. It

contains the transmitter and receiver to communicate with the UEs within the cell. In order

to facilitate effective handover between Node Bs under the control of different RNCs, the

RNC not only communicates with the Core Network, but also with neighbouring RNCs.


Fig 1.6 UMTS Radio Network Subsystem Architecture

UMTS Core Network

The UMTS core network architecture is a migration of that used for GSM with further

elements overlaid to enable the additional functionality demanded by UMTS. In view of the

different ways in which data may be carried, the UMTS core network may be split into two

different areas:

Circuit switched elements:   These elements are primarily based on the GSM network

entities and carry data in a circuit switched manner, i.e. a permanent channel for the duration

of the call.

Packet switched elements:   These network entities are designed to carry packet data. This

enables much higher network usage as the capacity can be shared and data is carried as

packets which are routed according to their destination. Some network elements,

particularly those that are associated with registration are shared by both domains and

operate in the same way that they did with GSM [1].


Fig 1.7 UMTS Core Network

Circuit Switched Elements

The circuit switched elements of the UMTS core network architecture include the following

network entities:

Mobile switching centre (MSC):   This is essentially the same as that within GSM, and it

manages the circuit switched calls under way. The mobile switching centre (MSC) is the

centre piece of the circuit switched core network. The same MSC can be used to serve both

the GSM-BSS and the UTRAN connections. A GSM-MSC must be upgraded to meet the

3G requirements, but the same MSC can be used to serve both access networks. In addition

to the radio access networks, it has interfaces to the fixed PSTN network, other MSCs, the

packet-switched network (SGSN), and various core network registers (HLR, EIR, AuC).

Physically, the VLR is implemented in connection with the MSC, so the interface between

them (the B interface) exists only logically. Several BSSs can be connected to the MSC. The

number and the size of MSCs also vary; a small operator may only have one small MSC, but

once the number of subscribers increases, several large MSCs may be needed.

The functions of an MSC include the following [1]:

• Paging;


• Coordination of call setup from all MSs in the MSC’s jurisdiction;

• Dynamic allocation of resources;

• Location registration;

• Interworking functions (IWFs) with other types of networks;

• Handover management (especially the complex inter-MSC handovers);

• Billing of subscribers (not the actual billing, but collecting the data for the billing center);

• Encryption parameter management;

• Signaling exchange between different interfaces;

• Frequency allocation management in the whole MSC area;

• Echo canceler operation and control.

The MSC terminates the MM and CM protocols of the air interface protocol stack, so the

MSC has to manage these protocols, or delegate some responsibilities to other core network

elements.

Gateway MSC (GMSC):   This is effectively the interface to the external networks. The

Gateway MSC (GMSC) is an MSC that is located between the PSTN and the other MSCs in

the network. Its function is to route the incoming calls to the appropriate MSCs by first

interrogating the appropriate HLR. If the operator allows the outside networks to access its

HLRs, then a dedicated GMSC is not necessary as the other networks can route the calls to

the right MSC by themselves. In practice it is also possible that all MSCs are also GMSCs in

a PLMN.

Packet Switched Elements:

The packet switched elements of the UMTS core network architecture include the following

network entities:

Serving GPRS Support Node (SGSN):   As the name implies, this entity

was first developed when GPRS was introduced, and its use has been carried over into the

UMTS network architecture. The SGSN provides a number of functions within the UMTS

network architecture.


Mobility management:   When a UE attaches to the Packet Switched domain of the UMTS

Core Network, the SGSN generates MM information based on the mobile's current location.

Session management:   The SGSN manages the data sessions providing the required quality

of service and also managing what are termed the PDP (Packet Data Protocol) contexts, i.e.

the pipes over which the data is sent.

Interaction with other areas of the network:   The SGSN is able to manage its elements

within the network only by communicating with other areas of the network, e.g. MSC and

other circuit switched areas.

Billing:   The SGSN is also responsible for billing. It achieves this by monitoring the flow of

user data across the GPRS network. CDRs (Call Detail Records) are generated by the SGSN

before being transferred to the charging entities (Charging Gateway Function, CGF).

Gateway GPRS Support Node (GGSN):   Like the SGSN, this entity was also first

introduced into the GPRS network. The Gateway GPRS Support Node (GGSN) is the

central element within the UMTS packet switched network. It handles inter-working

between the UMTS packet switched network and external packet switched networks, and

can be considered as a very sophisticated router. In operation, when the GGSN receives data

addressed to a specific user, it checks if the user is active and then forwards the data to the

SGSN serving the particular UE [3].

Shared Elements

The shared elements of the UMTS core network architecture include the following network

entities:

Visitor Location Register

The visitor location register (VLR) contains information about the mobile stations roaming in

this MSC area. It is also possible that one VLR handles the visitor register of several MSC

areas. Note that a VLR contains information on all active subscribers in its area, even

those for whom this network is their home network, so the name VLR is misleading as most


entries in that register are not visitors, but users in their own home network. The VLR contains

pretty much the same information as the home location register (HLR), the difference being that

the information in the VLR is there temporarily, whereas the HLR is a site for permanent

information storage. When a user makes a subscription, the subscriber’s data is added to his

home HLR. From there it is copied to the VLR the user is currently registered with. When a

user registers with another network, the subscriber data is removed from the old VLR and

copied to the new VLR. There are, however, some network optimization schemes, which may

change this principle in the future. The VLR holds enough data that the normal call setup

procedures can be handled without consulting the HLR. This is important especially if the user

is roaming abroad, and the signalling connection to the home network is expensive.

A VLR subscriber data entry includes the following information:

• International mobile subscriber identity (IMSI);

• Mobile station international ISDN number (MSISDN);

• Mobile station roaming number (MSRN);

• Temporary mobile station identity (TMSI), if applicable;

• Local mobile station identity (LMSI), if used;

• Location area where the mobile station has been registered;

• Identity of the SGSN where the MS has been registered, if applicable;

• Last known location and the initial location of the MS.

In addition, there can be lots of optional data, depending on what features the network

supports [e.g., CAMEL or local service area (LSA)]. The VLR may also contain

supplementary service parameters. The procedures the VLR has to perform include the

following:

• Authentication procedures with the HLR and the AuC;

• Cipher key management and retrieval from the home HLR/AuC;

• Allocation of new TMSI numbers;

• Tracking of the state of all MSs in its area;

• Paging procedure support (retrieval of the TMSI and the current location area).


Home location register (HLR):   This database contains all the administrative information

about each subscriber along with their last known location. In this way, the UMTS

network is able to route calls to the relevant RNC / Node B. When a user switches on

their UE, it registers with the network and from this it is possible to determine which

Node B it communicates with so that incoming calls can be routed appropriately.

Even when the UE is not active (but switched on) it re-registers periodically to ensure

that the network (HLR) is aware of its current or last known

location on the network.

The HLR contains the permanent subscriber data register. Each subscriber information

profile is stored in only one HLR. The HLR can be implemented in the same equipment as

the MSC/VLR, but the usual arrangement is to have the MSC/VLR as one unit, and the

HLR/AuC/EIR combination as another unit. One PLMN can have several HLRs. The

subscriber information is entered into the HLR when the user makes a subscription. There

are two kinds of information in an HLR register entry, permanent and temporary. The

permanent data never change, unless the subscription parameters are changed. An example

of this is the user who adds some supplementary services to his/her subscription. The

temporary data contain things like the current (VLR) address and ciphering information,

which can change quite often, even from call to call. Temporary data are also sometimes

conditional; that is, it is not always there. A subscriber data entry can be accessed by either

IMSI or MSISDN [5].

The permanent data in the HLR include among others:

• International mobile subscriber identity (IMSI), which identifies the subscriber (or actually

his or her SIM card) unambiguously;

• MS category information;

• Possible roaming restrictions;

• Closed user group (CUG) membership data;

• Supplementary services parameters;

• Authentication key;


• Network access mode (NAM), which determines whether the user can access the GPRS

networks, non-GPRS networks, or both.

In addition, if GPRS is supported, PDP addresses are included. Again, there may be lots of

other entries, depending on what features the network supports.

The temporary data include the following:

• Local mobile station identity (LMSI);

• Triplet vector; that is, three authentication and ciphering parameters: (1) random number

(RAND), (2) signed response (SRES), and (3) ciphering key (Kc);

• Quintuplet vector; that is, five authentication and ciphering parameters: (1) random

challenge (RAND), (2) expected response (XRES), (3) cipher key (CK), (4) integrity key

(IK), and (5) authentication token (AUTN);

• MSC number;

• VLR number (the identity of the currently registered VLR).

In addition, if GPRS is supported, SGSN and GGSN numbers (SS7 addresses) are included.

The HLR also forwards the charging information to the billing center.

Equipment identity register (EIR):   The EIR is the entity that decides whether given UE

equipment may be allowed onto the network. Each UE has a number known as the

International Mobile Equipment Identity. This number, as mentioned above, is installed in

the equipment and is checked by the network during registration.

The equipment identity register (EIR) stores the international mobile equipment identities

(IMEIs) used in the system. An EIR may contain three separate lists:

• White list: The IMEIs of the equipment known to be in good order;

• Black list: The IMEIs of any equipment reported to be stolen;

• Gray list: The IMEIs of the equipment known to contain problems (such as faulty software)

that are not fatal enough to justify barring them.

At a minimum an EIR must contain a white list. It is unfortunate that the black list and the

checks against it are not mandatory, as stolen mobile phones can now be used in some


networks that have a weaker security policy. And it is even more unfortunate that changing

the IMEI code of a handset is not yet illegal in many countries.

Typically a PLMN has only one EIR, which then interconnects to all HLRs in the network.

Note that the EIR handles IMEI values, not IMSIs or any other identities. The IMEI is (or

should be) a unique identity of a mobile handset assigned when it is manufactured.
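
The three-list check described above can be sketched as follows. This is an added example, not code from the source text or from any EIR product: the class and function names, the rule that unknown equipment is refused, and the sample IMEIs are assumptions made for illustration. The Luhn check on the 15th IMEI digit is standard but is not described in the text.

```python
from enum import Enum


class Verdict(Enum):
    ALLOW = "white-listed"
    ALLOW_AND_TRACK = "gray-listed"
    DENY = "barred"


def _luhn_sum(digits: str) -> int:
    """Luhn sum with every second digit (odd 0-based index) doubled."""
    total = 0
    for i, ch in enumerate(digits):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total


def make_imei(body14: str) -> str:
    """Append the Luhn check digit to a 14-digit body (used to build sample data)."""
    return body14 + str((10 - _luhn_sum(body14) % 10) % 10)


def well_formed(imei: str) -> bool:
    """A 15-digit IMEI is well formed when its Luhn sum is a multiple of 10."""
    return len(imei) == 15 and imei.isdigit() and _luhn_sum(imei) % 10 == 0


class EIR:
    """Hypothetical EIR holding the white, black and gray lists."""

    def __init__(self, white, black=(), gray=(), check_black_list=True):
        self.white, self.black, self.gray = set(white), set(black), set(gray)
        # The text notes that the black list and its check are not mandatory.
        self.check_black_list = check_black_list

    def check(self, imei: str) -> Verdict:
        if not well_formed(imei):
            return Verdict.DENY
        # Black list takes precedence: a stolen handset is usually still
        # on the white list from the time it was known to be in good order.
        if self.check_black_list and imei in self.black:
            return Verdict.DENY
        if imei in self.gray:
            return Verdict.ALLOW_AND_TRACK
        if imei in self.white:
            return Verdict.ALLOW
        return Verdict.DENY  # assumption: unknown equipment is refused


# Constructed sample IMEIs (not real devices).
SAMPLES = {
    "good": make_imei("00000000000001"),
    "stolen": make_imei("00000000000002"),
    "buggy": make_imei("00000000000003"),
    "unknown": make_imei("00000000000004"),
}


def compare_policies():
    """Verdict per sample IMEI as (strict EIR, EIR that skips the black list)."""
    lists = dict(
        white={SAMPLES["good"], SAMPLES["stolen"], SAMPLES["buggy"]},
        black={SAMPLES["stolen"]},
        gray={SAMPLES["buggy"]},
    )
    strict = EIR(**lists)
    weak = EIR(**lists, check_black_list=False)
    return {
        name: (strict.check(imei).name, weak.check(imei).name)
        for name, imei in SAMPLES.items()
    }
```

Only the "stolen" entry differs between the two policies, which is the gap the text complains about.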

Authentication centre (AuC):   The AuC is a protected database that contains the secret key

also contained in the user's USIM card. The authentication center (AuC) is associated with

an HLR. The AuC stores the subscriber authentication key, Ki, and the corresponding IMSI.

These are permanent data entered at subscription time. The Ki key is used to generate an

authentication parameter triplet (Kc, SRES, RAND) during the authentication procedure.

Parameter Kc is also used in encryption algorithms. An AuC physically always exists with

an HLR. The MAP interface between them (the H interface) has not been standardized [3,5].
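
The triplet mechanism described above, shown from the AuC, VLR and SIM sides. This is an added example, not code from the source text: the text does not give the algorithm that turns Ki and RAND into SRES and Kc, so HMAC-SHA256 is used here as a labelled stand-in, and the class names, the batch size of three and the IMSI are assumptions. The field sizes (128-bit RAND, 32-bit SRES, 64-bit Kc) are the standard GSM ones.

```python
import hashlib
import hmac
import secrets


def a3a8_standin(ki: bytes, rand: bytes):
    """Stand-in for the operator's authentication functions (NOT the real ones).

    Returns (SRES, Kc): a 32-bit signed response and a 64-bit ciphering key.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuC:
    """Stores IMSI -> Ki. Ki never leaves this object; only triplets do."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes):
        self._ki[imsi] = ki  # permanent data entered at subscription time

    def make_triplets(self, imsi: str, count: int = 3):
        triplets = []
        for _ in range(count):
            rand = secrets.token_bytes(16)  # fresh 128-bit challenge
            sres, kc = a3a8_standin(self._ki[imsi], rand)
            triplets.append((rand, sres, kc))
        return triplets


class SIM:
    """The card holds the same Ki and computes SRES and Kc locally."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3a8_standin(self._ki, rand)
        return sres  # only SRES is sent back; Kc stays on the device


class VLR:
    """Authenticates with triplets fetched from the AuC; it never sees Ki."""

    def __init__(self, auc: AuC):
        self._auc, self._triplets = auc, {}

    def authenticate(self, sim: SIM):
        """Challenge the SIM with one triplet; return Kc on success, else None."""
        queue = self._triplets.setdefault(sim.imsi, [])
        if not queue:
            queue.extend(self._auc.make_triplets(sim.imsi))
        rand, expected_sres, kc = queue.pop(0)  # each triplet is used once
        sres = sim.respond(rand)
        return kc if hmac.compare_digest(sres, expected_sres) else None

    def triplets_left(self, imsi: str) -> int:
        return len(self._triplets.get(imsi, []))


def demo():
    imsi = "001010123456789"  # constructed test IMSI
    ki = secrets.token_bytes(16)
    auc = AuC()
    auc.provision(imsi, ki)
    vlr = VLR(auc)
    genuine = SIM(imsi, ki)
    wrong_ki = SIM(imsi, secrets.token_bytes(16))  # same IMSI, different Ki
    kc = vlr.authenticate(genuine)
    return {
        "genuine_accepted": kc is not None,
        "kc_agrees": kc == genuine.kc,  # both ends derived Kc; it was never sent
        "wrong_ki_rejected": vlr.authenticate(wrong_ki) is None,
        "triplets_left": vlr.triplets_left(imsi),
    }
```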


References:

Mooi Choo Chuah and Qinqing Zhang (2006) Design and Performance of 3G Wireless

Networks and Wireless LANS, Springer Science and Business Media Inc.

Jeffrey Bannister, Paul Mather and Sebastian Coope (2004) Convergence Technologies for 3G

Networks IP, UMTS, EGPRS and ATM, John Wiley and Sons Ltd.

Juha Korhonen (2003) Introduction to 3G Mobile Communications, Artech House, Inc.

G.Gomez and R. Sanchez (2005) End to End Quality of Service Over Cellular Networks, Data

Service Performance and Optimization in 2G/3G. John Wiley and Sons LTD.

Monoru Etoh (2005) Next Generation Mobile System 3G and Beyond, John Wiley and Sons.

Willie W, Broadband Wireless Mobile 3G and Beyond. John Wiley and Sons Ltd.

Dr. Jonathan P. Castro, The UMTS Network and Radio Access Technology; Interface

Technique for Future Mobile Systems. John Wiley and Sons Ltd.

Williams C.Y. Lee (2006) Wireless and Cellular Telecommunication, McGraw Hill, Singapore.

V. Vangi, A. Damnjanovic and B. Vojcic (2004) The cdma2000 System for Mobile

Communications, Prentice-Hall PTR.

S.C. Yang (2004) 3G CDMA 2000, Artech House, Inc., Boston.

B. Pelletier and H. Leib (2004) UPCS Third Generation CDMA system, Study of the Physical

Layer. Wireless Communication Group at McGill University.

H. Holma and Antti Toskala (2001) WCDMA for UMTS, John Wiley and Sons.

C. Smith and D. Collins (2002) 3G Wireless Works, McGraw-Hill.

D. Collins (2001) Carrier Grade Voice Over IP, McGraw Hill.


V.K. Garg (2000) IS-95 CDMA and cdma2000, Prentice-Hall PTR.

D. J. Goodman (1997) Wireless Personal Communications Systems. Addison-Wesley,

Reading, MA

O. Sallent, J. Perez-Romero, R. Agusti et al. (2003) ‘Provisioning multimedia wireless

networks for better QoS: RRM strategies for 3G W-CDMA.’ IEEE Communications

Magazine 41(2), 100–107

Walke, B., Mobile Radio Networks, New York: Wiley,

Silventoinen, M. (1999) “Indoor Base Station Systems,” in GSM—Evolution Towards 3rd

Generation Systems, Z. Zvonar, P. Jung, and K. Kammerlander (eds.), Norwell, MA:

Kluwer Academic Publishers.

Roberts, J., U. Mocci, and J. Virtamo (1996) “Broadband Network Teletraffic,” COST 242

report, Berlin: Springer-Verlag.

A. S. Tanenbaum (2003) Computer Networks, 4th edn. Prentice Hall, Upper Saddle River, NJ.

H. Taub, D. Schilling (1986) Principles of Communication Systems. 2nd edn. McGraw-Hill,

New York.

A. J. Viterbi (1995) CDMA: Principles of Spread Spectrum Communication. Addison-Wesley,

Reading, MA.

A. J. Viterbi (1967) ‘Error bounds for convolutional codes and an asymptotically optimum

decoding algorithm’, IEEE Transactions on Information Theory IT-13, 260–269.

D. J. Goodman (1997) Wireless Personal Communications Systems. Addison-Wesley,

Reading, MA.

H. Holma, A. Toskala (2002) WCDMA for UMTS, 2nd edn. John Wiley and Sons, Chichester.


J. Laiho, A. Wacker, T. Novosad (2002) Radio Network Planning and Optimisation for

UMTS, John Wiley and Sons, Chichester.

S. Floyd, V. Jacobson (1993) ‘Random early detection gateways for congestion avoidance’,

IEEE/ACM Transactions on Networking, 1(4), 397–413.

Karkkainen, K.H.A. (1995) “Influence of Various PN Sequence Phase Optimization Criteria on

the SNR Performance of an Asynchronous DS-CDMA System,” Proc. IEEE 1995

Military Communications Conference (MILCOM 95), San Diego, California.

Ojanpera, T., and R. Prasad (1998) Wideband CDMA for Third Generation Mobile

Communications, Norwood, MA: Artech House.

Holma, H., and A. Toskala (eds.), (2000) WCDMA for UMTS: Radio Access for Third

Generation Mobile Communications, New York: Wiley.

Prasad, R., W. Mohr, and W. Konhauser (2000) Third Generation Mobile Communication

Systems, Norwood, MA: Artech House.

Black, U. D. (1989) Data Networks: Concepts, Theory, and Practice, Englewood Cliffs, NJ:

Prentice Hall International.

Viterbi, A. J. (1995) CDMA: Principles of Spread Spectrum Communication, Reading, MA:

Addison-Wesley.
